Question about HSTS max-age

Created on 21 March 2024, 9 months ago
Updated 30 May 2024, 7 months ago

Hello,
I have installed the seckit module and am evaluation all the features and settings.
The HSTS Strict Transport Security settings has a default max-age of 1000 (seconds)
When I read about this feature all resources I find explain to use a much longer period, up to a year.
Is there a specific reason that 1000 was chosen as the default?
Greetings,
Rob

💬 Support request
Status

Active

Version

2.0

Component

Miscellaneous

Created by

🇳🇱Netherlands RobBNL

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @RobBNL
  • 🇨🇿Czech Republic Petr Illek

    @RobBNL I would asume it is a safe value for the start. When you use it the HSTS instruction is being stored outside your server in a central DB from where the browsers are taking the information. If you do have some misconfiguration, or issue with SSL certificate, it may render your site inaccessible for a long time. So it is better to start with a quick turnaround and when you are sure all is working properly, then you can set a longer period.
    Miminum max-age to be included in the preload database is 31536000 seconds (1 year).
    More info here: https://hstspreload.org/.

Production build 0.71.5 2024